Observe it. Tune it. Prove it held.
A security gate is only as good as your ability to run it. Runelm ships the operational surface a regulated team needs on day one — a dashboard, safe rule-tuning, rate limiting, tamper-evident audit, metrics, and a hardened container.
A gate you can watch, tune, and prove.
Classification is the easy half. Operating it — seeing what was blocked, tuning rules without leaking, proving the log was not tampered with — is the half that ships here too.
Observability dashboard
A read-only web console on the same port: live audit feed, classification distribution, active sessions, and the running config with secrets redacted. No extra stack to deploy.
Audited config editing
Edit the keyword blocklist, custom regex patterns, and per-caller overrides from the console. Every mutation writes an audit row before it takes effect.
Dry-run corpus replay
Replay up to 100 real prompts through POST /v1/dryrun or the CLI to tune rules safely — per-prompt levels and entity counts, zero upstream calls, no stored prompt text.
Rate limiting + anomaly watch
Per-caller sliding-window limits — refused-to-disable in production — plus a classification-distribution-shift signal surfaced on every response via X-Runelm-Anomaly.
HMAC key rotation
Rotate the audit secret across epochs with runelm audit rotate-hmac-secret. The tamper-evident hash chain stays verifiable end-to-end through the re-key.
Prometheus metrics + alerts
Scrape /metrics for classification, routing, block, and latency series. Ships with a documented alert ruleset for the signals that actually matter.
Pluggable audit backends
Pick where the hashed audit trail lands — and compose wrappers for durability and throughput. Prompt text is never written; only the HMAC, the decision, and the metadata.
- memory
- ephemeral — development only
- sqlite
- single-node durable store
- hash_chain_file
- tamper-evident, HMAC hash-chained
- loki
- ship to Grafana Loki with retention
- s3_object_lock
- write-once, compliance-grade retention
- composite
- fan out to several, durable fallback
- batching
- wrapper — buffer writes for throughput
- retry
- wrapper — survive a transient outage
The hash-chained and S3-Object-Lock backends are tamper-evident: runelm audit verify walks the chain from genesis and reports the first divergence. Every read of the audit log is itself audited — audit-on-audit.
Operate from the terminal
Everything in the dashboard is also a command. Operators who prefer the terminal never need the UI.
- $ runelm audit tail --follow # live, hashed audit feed
- $ runelm audit verify # walk the tamper-evident chain
- $ runelm audit rotate-hmac-secret # re-key without losing the chain
- $ runelm dryrun --corpus=traffic.jsonl # replay a corpus, no upstream calls
- $ runelm override set --principal=fin-bot --min-level=HIGH --expires=30d
- $ runelm engagement close acme-q3 --reason=engagement-ended
- $ runelm vacuum # sweep expired substitution maps
Hardened by default
The Helm chart and container ship locked down — fail-closed posture extends to the runtime, not just the classifier. Scrape /metrics, point it at your secret store, and deploy.
- ᛜRuns as a non-root user
- ᛜRead-only root filesystem
- ᛜAll Linux capabilities dropped
- ᛜseccomp: RuntimeDefault